Hacker leaks 20 million alleged BigBasket user records for free

A threat actor has leaked approximately 20 million BigBasket user records containing personal information and hashed passwords on a popular hacking forum.

BigBasket is a popular Indian online grocery delivery service that allows people to shop online for food and deliver it to their homes.

This morning, a well-known seller of data breaches known as ShinyHunters posted a database for free on a hacker forum that he claims was stolen from BigBasket.

BigBasket database leaked for free

In November 2020, BigBasket confirmed to Bloomberg News that they had suffered a data breach after ShinyHunter had previously tried to sell the stolen data in private sales.

“There’s been a data breach and we’ve filed a case with the cybercrime police,” BigBasket CEO Hari Menon told Bloomberg News. “The investigators have asked us not to reveal any details as it might hamper the probe.”

As is typical for older breaches privately sold by ShinyHunters, the threat actor has now released the whole database for free, which reportedly contains more than 20 million user records.

Infamous threat actor ShinyHunters just leaked the database of BigBasket, a famous Indian online grocery delivery service. (@bigbasket_com)

20,000,000+ clients affected and information such as emails, names, hashed passwords, birthdates and phone numbers were leaked. pic.twitter.com/tD5TMxNkH7 — Alon Gal (Under the Breach) (@UnderTheBreach) April 25, 2021

The database includes BigBasket customer information, including email addresses, SHA1 hashed passwords, addresses, phone numbers, and other assorted information.

Sample of records in the database

The passwords are hashed using the SHA1 algorithm, and forum members have claimed to crack 2 million of the listed passwords already. Another member claims that 700k of the customers used the password ‘password’ for their accounts.

In the past, ShinyHunters has been responsible for or involved in other data breaches, including Tokopedia, TeeSpring, Minted, Chatbooks, Dave, Promo, Mathway, Wattpad, and many more.

What should BigBasket customers do now?

As BleepingComputer has confirmed that some of the records are accurate, including information specific to the BigBasket service, customers should play it safe and assume that their customer info has been leaked as well.

It is strongly suggested that all BigBasket users immediately change their passwords on BigBasket and at any other sites using the same password.

A password manager is recommended to help you manage the unique passwords you use at different sites.

Source

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s